
- 212/2024
- High
Cybersecurity researchers have discovered a new Linux variant of a ransomware strain known as Play that’s designed to target VMware ESXi environments.
Play ransomware, also known as PlayCrypt, was first observed in late June 2022 targeting various industries, such as finance, education, healthcare, insurance, technology, and telecommunications.
Play ransomware is known for its double extortion tactics, encrypting systems after exfiltrating sensitive data and demanding payment in exchange for a decryption key. Encrypted files may have their extensions changed to “.play” to indicate they have been encrypted by the Play ransomware.
Security researchers have found that the mentioned ransomware gang uses the URL-shortening services provided by a threat actor tracked as Prolific Puma.
The Tactics and Techniques of Play Ransomware:
o Initial Access:
- Play ransomware operators use compromised valid accounts to gain initial access to the target network.
- The threat actors use publicly exposed RDP and VPN servers to establish a foothold in the target system.
o Discovery:
- The threat actor uses “Netscan” to enumerate the services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation.
o Lateral Movement and Execution:
- Play ransomware group utilizes tools like PsExec to move freely across the network without any restrictions.
- Threat actors abuse Unix shell commands and scripts for execution. Unix shells are the primary command-line interface on Linux and macOS systems, and many variants exist (e.g. sh, bash, zsh).
o Defense Evasion:
- Threat actors disable the security controls in the victim’s environment and then delete the files that their intrusion activity left behind on the system.
o Command and Control:
- Play Ransomware group uses Domain Generation Algorithms (DGAs) to dynamically identify destination domains for command and control traffic rather than relying on a list of static IP addresses or domains.
o Exfiltration:
- The threat actor steals data by exfiltrating it over their existing command and control channel after compressing the victims’ files using WinSCP and splitting data into segments.
o Impact:
- Play ransomware uses a generic RSA-AES hybrid cryptosystem to encrypt VM files, including VM disk, configuration, and metadata files, and then appends a “.play” extension to the encrypted files.
Indicators of Compromise
Indicators of compromise will be shared with EG-FinCIRT’s Constituents
Mitigations
- Keep the ESXi environment and associated management software up to date to protect against known vulnerabilities.
- Regularly audit and correct misconfigurations within ESXi environments, as these can create vulnerabilities that ransomware can exploit. Implementing strong configuration management practices can help ensure that settings adhere to security best practices and reduce the risk of exploitation.
- Implement robust authentication and authorization mechanisms, such as multifactor authentication (MFA), and restrict administrative access.
- Apply network segmentation by segregating critical systems and networks to limit the spread of ransomware.
- Disable unnecessary and unused services and protocols, restrict access to critical management interfaces, and implement strict firewall rules to limit network exposure. VMware provides various guidelines and best practices on how to secure ESXi environments.
- Maintain frequent and secure backups of all critical data.
- Ensure that backups are stored offline and tested regularly to verify their integrity.
- Deploy solutions and develop an incident response plan to promptly and proactively address suspicious activities.
- Search for existing signs of the indicated IOCs in your environment.
- Block IOCs at the organization’s security devices.
- Enable machine learning, active adversary mitigations, and behavioral detection in endpoint security.
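The impact stage described above (VM disk, configuration and metadata files encrypted and renamed with a “.play” extension) and the mitigation to search the environment for signs of compromise can be turned into a simple datastore triage script. The following is an added example, not part of this advisory and not a tool from EG-FinCIRT or VMware; the datastore path, the list of VM file extensions it inspects and the 7.0 bits-per-byte entropy threshold are assumptions. It flags any file carrying the “.play” extension, and additionally flags VM configuration and descriptor files (normally plain text) whose contents read like ciphertext even though they have not been renamed. Raw disk extents (“-flat.vmdk”, “-delta.vmdk”, “-sesparse.vmdk”) are deliberately excluded from the entropy check, since high entropy is normal for them. The sample datastore it builds is constructed for demonstration only.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path
from typing import Dict, List, Optional

PLAY_EXT = ".play"                       # extension the advisory says Play appends to encrypted files
VM_EXTS = {".vmdk", ".vmx", ".vmxf", ".vmsd", ".vmsn", ".nvram"}  # ESXi disk/config/metadata files
TEXT_VM_EXTS = {".vmx", ".vmxf", ".vmsd"}   # VM files that are plain text when healthy
RAW_DISK_SUFFIXES = ("-flat.vmdk", "-delta.vmdk", "-sesparse.vmdk")  # raw extents: high entropy is normal
ENTROPY_THRESHOLD = 7.0                  # assumed: bits/byte; ciphertext sits near 8.0, config text well below
SAMPLE_BYTES = 64 * 1024                 # only the head of each file is examined


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 for uniformly random bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def is_text_vm_file(path: Path) -> bool:
    """True for VM files that should be readable text: .vmx/.vmxf/.vmsd and .vmdk descriptors (not raw extents)."""
    suffix = path.suffix.lower()
    if suffix in TEXT_VM_EXTS:
        return True
    return suffix == ".vmdk" and not path.name.lower().endswith(RAW_DISK_SUFFIXES)


def classify_file(path: Path) -> Optional[str]:
    """Return a verdict for a suspicious file, or None if nothing stands out.

    Verdicts, strongest first:
      play-extension-vm-file : ".play" appended to a VM disk/config/metadata file (the advisory's impact stage)
      play-extension         : ".play" appended to any other file
      high-entropy-vm-file   : a normally text-based VM file whose contents read like ciphertext
    """
    has_play_ext = path.suffix.lower() == PLAY_EXT
    # "vm1.vmdk.play" -> original suffix ".vmdk"; otherwise the file's own suffix
    original_suffix = (Path(path.stem).suffix if has_play_ext else path.suffix).lower()
    if has_play_ext:
        return "play-extension-vm-file" if original_suffix in VM_EXTS else "play-extension"
    if is_text_vm_file(path):
        with open(path, "rb") as fh:
            if shannon_entropy(fh.read(SAMPLE_BYTES)) >= ENTROPY_THRESHOLD:
                return "high-entropy-vm-file"
    return None


def scan_datastore(root: Path) -> List[Dict]:
    """Walk a datastore tree and return one finding per suspicious file."""
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_file():
            verdict = classify_file(path)
            if verdict:
                findings.append({"path": path, "verdict": verdict})
    return findings


def build_sample_datastore() -> Path:
    """Create a constructed, throw-away datastore layout for the demonstration (not real victim data)."""
    root = Path(tempfile.mkdtemp(prefix="datastore-demo-"))
    files = {
        "vm1/vm1.vmdk.play": os.urandom(SAMPLE_BYTES),   # encrypted disk descriptor, renamed by the ransomware
        "vm1/vm1.vmx.play": os.urandom(SAMPLE_BYTES),    # encrypted config, renamed
        "vm1/notes.txt.play": os.urandom(1024),          # encrypted non-VM file
        "vm2/vm2.vmx": b'config.version = "8"\nvirtualHW.version = "19"\n' * 200,  # healthy text config
        "vm2/vm2-flat.vmdk": os.urandom(SAMPLE_BYTES),   # raw disk extent: high entropy is expected, not flagged
        "vm3/vm3.vmx": os.urandom(SAMPLE_BYTES),         # config overwritten with ciphertext but not yet renamed
    }
    for rel, content in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)
    return root


if __name__ == "__main__":
    # Assumed production path on an ESXi host would be /vmfs/volumes/<datastore>; here a constructed tree is used.
    demo_root = build_sample_datastore()
    for finding in scan_datastore(demo_root):
        print(f"{finding['verdict']:24s} {finding['path'].relative_to(demo_root)}")
```

A “.play” hit is the advisory's own indicator and warrants incident response on its own; the entropy verdict is weaker triage that catches encryption in progress before renaming, and a healthy descriptor or config file should never trip it, so investigate any such hit rather than tuning the threshold upward.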